ABSTRACT 



A multi-level security apparatus and method for a network 
employs a secure network interface unit (SNIU) coupled 
between each host or user computer unit and a network, and 
a security management (SM) architecture, including a secu- 
rity manager (SM) coupled to the network, for controlling 
the operation and configuration of the SNIUs coupled to the 
network. Each SNIU is operative at a session level of 
interconnection which occurs when a user on the network is 
identified and a communication session is to commence. 
When an SNIU is implemented at each computer unit on the 
network, a global security perimeter is provided. In a 
preferred embodiment, the SNIU is configured to perform a 
defined session level protocol (SLP), including the core 
functions of user interface, session manager, dialog 
manager, association manager and data sealer, and network 
interface. The SM architecture is implemented to ensure user 
accountability, configuration management, security 
administration, and validation key management on the net- 
work. The SM functions are distributed over three platforms, 
i.e., a SNIU security manager (SSM), an area security 
manager (ASM), and a network security manager (NSM). 

54 Claims, 14 Drawing Sheets 
APPARATUS AND METHOD FOR 
PROVIDING NETWORK SECURITY 

This application is a continuation of Ser. No. 08/270,398, 
now U.S. Pat. No. 5,577,209, filed Jul. 5, 1994, which is a 
division of U.S. Ser. No. 07/728,633, filed Jul. 11, 1991, now 
abandoned. 

FIELD OF THE INVENTION 

The present invention relates in general to secure and 
multi-level secure (MLS) networks and in particular to 
apparatus and method for providing security and multi-level 
security for a non-secure network. 

BACKGROUND OF THE INVENTION 

Multi-level secure (MLS) networks provide a means of 
transmitting data of different classification levels (i.e., 
Unclassified, Confidential, Secret and Top Secret) over the 
same physical network. To be secure, the network must 
provide the following security functions: data integrity 
protection, separation of data types, access control, authen- 
tication and user identification and accountability. 

Data integrity protection ensures that data sent to a 
terminal is not modified en route. Header information and 
security level are also protected against uninvited modifi- 
cation. Data integrity protection can be performed by check- 
sum routines or through transformation of data, which 
includes private key encryption and public key encryption. 

Separation of data types controls the ability of a user to 
send or receive certain types of data. Data types can include 
voice, video, e-mail, etc. For instance, a host might not be 
able to handle video data, and, therefore, the separation 
function would prevent the host from receiving video data. 
The system should include sequential review prior to data 
release, wherein a plurality of users review the data and 
approve its release before it is actually released, and the use 
of data type to separate management-type data from ordinary 
user traffic. 

Access control restricts communication to and from a 
host. In rule based access control, access is determined by 
the system assigned security attributes. For instance, only a 
user having Secret or Top Secret security clearance might be 
allowed access to classified information. In identity based 
access control, access is determined by user-defined 
attributes. For instance, access may be denied if the user is 
not identified as an authorized participant on a particular 
project. For control of network assets, a user may be denied 
access to certain elements of the network. For instance, a 
user might be denied access to a modem, or to a data link, 
or to communication on a path from one address to another 
address. 

Identification of a user can be accomplished by a unique 
name, password, retina scan, smart card or even a key for the 
host. Accountability ensures that a specific user is 
accountable for particular actions. Once a user establishes a 
network connection, it may be desirable that the user's 
activities be audited such that a "trail" is created. If the 
user's actions do not conform to a set of norms, the 
connection may be terminated. 

Currently, there are three general approaches to providing 
security for a network: trusted networks, trusted hosts with 
trusted protocols, and encryption devices. The trusted net- 
work provides security by placing security measures within 
the configuration of the network. In general, the trusted 
network requires that existing protocols and, in some cases, 
physical elements be replaced with secure systems. In the 
Boeing MLS Lan, for instance, the backbone cabling is 
replaced by optical fiber and all access to the backbone is 
mediated by security devices. In the Verdix VSLAN, similar 
security devices are used to interface to the network, and the 
network uses encryption instead of fiber optics to protect the 
security of information transmitted between devices. 
VSLAN is limited to users on a local area network (LAN) 
as is the Boeing MLS Lan. 

Trusted hosts are host computers that provide security for 
a network by reviewing and controlling the transmission of 
all data on the network. For example, the U.S. National 
Security Agency (NSA) has initiated a program called 
Secure Data Network System (SDNS) which seeks to imple- 
ment a secure protocol for trusted hosts. In order to imple- 
ment this approach, the installed base of existing host 
computers must be upgraded to run the secure protocol. 
Such systems operate at the Network or Transport Layers 
(Layers 3 or 4) of the Open Systems Interconnection (OSI) 
model. 

Encryption devices are used in a network environment to 
protect the confidentiality of information. They may also be 
used for separation of data types or classification levels. 
Packet encryptors or end-to-end encryption (EEE) devices, 
for instance, utilize different keys and labels in protocol 
headers to assure the protection of data. However, these 
protocols lack user accountability since they do not identify 
which user of the host is using the network, nor are they 
capable of preventing certain users from accessing the 
network. EEE devices typically operate at the Network 
Layer (Layer 3) of the OSI model. There is a government 
effort to develop cryptographic protocols which operate at 
other protocol layers. 

It would be highly desirable to provide multi-level secu- 
rity in a non-secure environment, i.e., where both the 
network and the hosts are not trusted, so that existing hosts 
and network assets would not have to be replaced by trusted 
hosts or secure network assets. It is also required that such 
an MLS system must provide user accountability and data 
integrity during all phases of operation within the network. 

SUMMARY OF THE INVENTION 

In accordance with the present invention, a network 
security apparatus and method for a network comprises a 
secure network interface unit (SNIU) coupled between each 
host or user computer unit, which may be non-secure, and a 
network, which may be non-secure, and a security manage- 
ment (SM) architecture, including a security manager (SM) 
connected to each of the SNIUs for controlling their opera- 
tion and configuration on the network. Each SNIU is opera- 
tive at a session layer of interconnection which occurs when 
a user on the network is identified and a communication 
session is to commence. When an SNIU is implemented at 
each computer unit to be secured on the network, a global 
security perimeter is provided for ensuring security policy 
enforcement, controlled communication release, controlled 
communication flow, and secure session protocols through 
each computer unit interface. The SM architecture is imple- 
mented to ensure user accountability, configuration 
management, security administration, and cryptographic key 
management among the SNIUs. 

In a preferred embodiment, the SNIU is configured to perform a defined trusted session layer protocol (TSP), including the core functions of user interface or service interface, session manager, dialog manager, association manager, data sealer, and network interface. The user/service interface functions allow a user to access the network through the SNIU, including translating data to the format used in the SNIU, passing data between the computer unit and the SNIU, and providing access to communication ports through the SNIU. Significant portions of the user/service interface do not require the same level of trust as the rest of the TSP. This allows these portions to be logically and physically separated from the rest of the TSP without affecting the underlying security of the system as a whole. The session manager functions include user identification and audit, session setup and termination, and issuing commands between the user interface and the dialog manager. The dialog manager functions control the data path established in the SNIU, including dialog identification and audit, dialog request validation, setup, and termination, applying and reviewing block headers for transmitted data, and issuing commands between the session manager and the association manager. The association manager functions control the transmission of data on the data path with a remote SNIU, including SNIU identification and audit, association request validation, setup, and termination, invoking and managing sealer keys for encrypting transmitted data, and issuing commands between the dialog manager and the network interface. The network interface functions allow the transmission of data and commands between the SNIU and the network. 

The Security Manager (SM) performs network security functions, including security administration of the core manager functions of the SNIUs. In the preferred embodiment, the SM functions are distributed over three platforms, i.e., a SNIU hosted SNIU security agent (SSA), an area security manager (ASM), and a network security manager (NSM). The SSA exchanges data and commands with its assigned SNIU, and performs initialization, configuration control, access control, public key management, audit/alarms, and other services for the SNIU. The ASM manages the security functions for a group of SNIUs in a defined area. The NSM manages the security functions of the ASMs for the network as a whole. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a schematic diagram of an MLS network system in accordance with the invention. 

FIG. 2 is a schematic diagram of a variation of the inventive concept as applied to an internetwork system. 

FIGS. 3A, 3B, and 3C are schematic diagrams of a secure network interface unit (SNIU) in accordance with the invention. 

FIGS. 4A-4F are schematic diagrams of the data and command structure of the SNIU unit. 

FIGS. 5A-5D are schematic diagrams of a security management architecture in the present invention. 

FIGS. 6A and 6B illustrate the steps for a path setup in accordance with the MLS system of the present invention. 

DETAILED DESCRIPTION OF THE EXEMPLARY EMBODIMENTS 

In the present invention, a secure network interface unit (SNIU) is used to control communications between a respective host or user computer unit and the network at a "session layer" of interconnection which occurs when a user on the network is identified and a communication session is to commence. For example, the industry-standard Open Systems Interconnection (OSI) model defines seven layers of a network connection: (1) physical; (2) data link; (3) network; (4) transport; (5) session; (6) presentation; and (7) application. In the present invention, the network security measures are implemented at the Session Layer 5. The placement of security at the Session Layer allows existing network assets and existing network protocols at the Transport Layer 4 and lower to continue to be used, thereby avoiding the need to replace an installed network base for the implementation of the multi-level security system. The connected host or user equipment and the network backbone are therefore not required to be secure (trusted). Conventionally, OSI network applications employ CCITT X.215, which is a non-secure session layer protocol. None of the prior multi-level security systems employ the security measures described herein in the Session Layer. 

Referring now to FIG. 1, there is shown a network provided with a security system in accordance with the present invention. A plurality of host or user computer units, such as a terminal server TS, host unit S, host-server unit S-U, user unit U, or personal computer (PC), are coupled to a network through respective secure network interface units (SNIUs). Multi-user terminal, host or host server units are indicated by shaded squares, whereas single-user terminal, personal computer, or user units are indicated by white squares. The SNIUs encapsulate the network with a ring of secure units which enforce both discretionary and mandatory security policies. The SNIUs provide security policy enforcement, a user communication release interface, controlled communication flow when interconnected to other, nonsecure networks, and session security protocols. The discretionary security policies are indicated as extending to the multi-user computer units, which generally have some form of discretionary user access control. 

The SNIU is capable of passing digital data, voice and video traffic so as to provide the full functionality required for a Trusted Session Protocol (TSP). The TSP uses the facilities of the lower level protocols to transmit data across the network. To this end, and to provide flexibility, the specialized network interface SNIU is designed to allow coupling of the TSP with existing (non-secure) equipment and underlying network. 

A security management architecture, which includes a security manager SM coupled to the network, provides user accountability, configuration management, security administration and alarm handling, and sealer (cryptographic) key management. A host unit is not required to be trusted, as the SNIU prevents any traffic not destined for the host from getting to the host. The network is not required to be trusted, as the SNIU prevents unauthorized data on the network from getting to or from the host. 

Referring to FIG. 2, a variation is shown employing SNIUs for internetwork connections. A bridge SNIU is used between two private networks (shaded ovals) using the same security labeling semantics but which operate at two different protection levels. The networks may be controlled by a single network security manager SM, or each network can have its own security manager SM. A gateway SNIU is used between two networks using different security labeling semantics; for example, a Type A network may use the labels (Top Secret, Secret, Confidential, Unclassified) and a Type B network may use the labels (Most Secret, Secret, Restricted, Confidential, Releasable). A guard SNIU is used to support communications between a private network and a public network. 

The network security system of the invention is divided into two major functional areas: the Trusted Session Protocol (TSP) hosted by the SNIU, which is responsible for the 
management of the data path and the passing of data; and the Security Management architecture, consisting principally of the Security Manager (SM), which is responsible for security management of the network. 

The configuration of the TSP varies with the SNIU's environment. As shown in FIG. 3A, the SNIU for a multi-user host includes a Session Manager module, a Dialog Manager module, an Association Manager & Sealer module and a Network Interface. A User Interface is provided with the multi-user host. In FIG. 3B, the SNIU of a single-user host incorporates the User Interface with the other functions. As illustrated conceptually in FIG. 3C, the communication interface with the user is mediated by the Session Manager, the interface with the network by the Association Manager, and the communication flow between the two ends by the Dialog Manager. 

For multi-user computers, incorporation of the User Interface with the host computer opens the memory resources of the host to provide message boxes for all authorized users. The message boxes are protected by the discretionary access control policies of the host. In the special case of a personal computer (PC), a multi-level release option may be provided which allows the sending of messages at a security level below the level at which the PC is operating. An interface to the SNIU is required to allow the operator to review the message before release. 

Security System Policies 

The security system of the present invention may implement a number of security policies suitable to the circumstances of a given network environment. The major policy areas are: discretionary access control; mandatory access control; object reuse; labeling; identification and authentication; audit; denial of service detection; data type integrity; cascading control; and covert channel use detection. 

Discretionary access control is a means of restricting access to objects (data files) based on the identity (and need to know) of the user, process, and/or group to which the user belongs. It may be used to control access to user interface ports based on the identity of the user. For a single-user computer unit, this mechanism may be implemented in the SNIU, whereas for a multi-user host, the DAC control may be implemented at the host machine. Discretionary access control may also be implemented as discretionary dialog addressing, wherein the addressing of all communications originated by a user is defined, and as user discretionary access denial, wherein a user may refuse to accept a communication from another user. 

Mandatory access control is a means of restricting access to objects based on the sensitivity (as represented by a classification label) of the information contained in the objects, and the formal authorization (i.e., clearance) of the user to access information of such sensitivity. For example, it may be implemented as dialog lattice-based access control, wherein access requires a correct classification level, integrity level, and compartment authorization; dialog data-type access control, wherein correct data type authorization is required for access; and cascade protection, wherein controls are provided to prevent unauthorized access by cascading user access levels in the network. 

Object reuse is the reassignment and reuse of a storage medium (e.g., page frame, disk sector, magnetic tape) that once contained one or more objects to be secured from unauthorized access. To be secured, reused, and assigned to a new subject, storage media must contain no residual data from the object previously contained in the media. Object reuse protection may be implemented by port reuse protection, session reuse protection, dialog reuse protection, and/or association reuse protection. 

Labeling requires that each object within the network be labeled as to its current level of operation, classification or accreditation range. Labeling may be provided in the following ways: user session security labeling, wherein each user session is labeled as to the classification of the information passing over it; dialog security labeling, wherein each dialog is labeled as to the classification and type of the information being passed over it; and host accreditation ranges, wherein each host with access to the secured network is given an accreditation range, and information passing to or from the host must be labeled within the accreditation range. 

Identification is a process that enables recognition of an entity by the system, generally by the use of unique user names. Authentication is a process of verifying the identity of a user, device, or other entity in the network. These processes may be implemented in the following ways: user identification; user authentication; dialog source authentication, wherein the source of all communication paths is authenticated at the receiving SNIU before communication is allowed; SNIU source authentication, wherein the source SNIU is authenticated before data is accepted for delivery; and administrator authentication, wherein an administrator is authenticated before being allowed access to the Security Manager functions. 

An audit trail provides a chronological record of system activities that is sufficient to enable the review of an operation, a procedure, or an event. An audit trail may be implemented via a user session audit, a dialog audit, an association audit, an administrator audit, and/or variance detection, wherein audit trails are analyzed for variance from normal procedures. 

Denial of service is defined as any action or series of actions that prevent any part of a system from functioning in accordance with its intended purpose. This includes any action that causes unauthorized destruction, modification, or delay of service. The detection of a denial of service may be implemented for the following conditions: user session automatic termination, such as when unauthorized access has been attempted; user machine denial of service detection, such as detection of a lack of activity on a user machine; dialog denial of service detection; association denial of service detection, such as detection of a lack of activity between SNIUs; and/or data corruption detection, such as when an incorrect acceptance level is exceeded. 

A covert channel is a communications channel that allows two cooperating processes to transfer information in a manner that violates the system's security policies. Detection of covert channel use may be implemented, for example, by delay of service detection, such as monitoring for unusual delays in message reception, or dialog sequence error detection, such as monitoring for message block sequence errors. 

The functions of the Trusted Session Layer Protocol (TSP) performed by the secure network interface unit (SNIU) and the security management (SM) architecture will now be described. These functions are designed to implement many of the security policies described above. It is to be understood that these functions are only illustrative examples of a wide range of security functions that can be implemented using the SNIU/TSP and SM architecture. 

Trusted Session Layer Protocol (TSP) and SNIU 

The main functions of the TSP are to set up paths for data, terminate paths for data, pass data over established paths, 
and enforce security policies as directed by the SM. Sec- 
ondary functions of the TSP include interacting with the user 
machine, identifying the user and providing a data path 
between the user machine and the SNIU, identifying the user 
process and providing a secure data path between local and 
remote SNIUs, protecting data transiting the data path, and 
interacting with the network. 

To accomplish these functions, the TSP is divided into six 
sublayers: the User Interface; the Session Sublayer 
(Manager); the Dialog Sublayer (Manager); the Association 
(Manager) and Data Sealer Sublayer; and the Network 
Interface. FIGS. 4A-4F illustrate the operation at each of 
these sublayers in greater detail. For purposes of the fol- 
lowing description, a session is defined as a period of 
authorized network usage in which a user who conducts a 
dialog has been identified and verified. A dialog defines a 
data path between a pair of processes. An association defines 
a data path between a pair of SNIUs, including any data 
sealer keys used in securing the data. 

In FIG. 4A, the User Interface provides the means for the 
user to access the network. For multi-user hosts, the User 
Interface may reside within the host machine, whereas for 
single-user machines, the User Interface may reside within 
the SNIU coupling the user machine to the network. Com- 
munication with the network is provided via a number of 
command ports, simplex receiving and sending ports, duplex 
ports, and a multicast send port. Multiple ports can be set up 
for each user. The User Interface communicates only 
through the Session Manager. It can perform the following 
functions: translating data from the format used in the user 
machine to the format used in the SNIU; passing data 
between the user machine and the SNIU; providing ports for 
communication between the user and the network through 
the SNIU; providing user information to the Session Man- 
ager; equalizing data loads when connected to a number of 
SNIUs; port management on command from the Session 
Manager; and discretionary access control. 

In FIG. 4B, the Session Manager manages the sessions 
with users. The Session Manager communicates with the 
User Interface, the Dialog Manager, and the SNIU Security 
Manager (SSM). The Session Manager has the following 
functions: user identification; audit; alarms; session setup 
and termination; session time out, wherein inactive sessions 
are terminated after a given amount of time; accepting 
session access requests to an existing session from a remote 
SNIU; commands to the Dialog Manager; maintenance of 
user access settings (passwords, access lists); passing data 
over an existing dialog between the User Interface and the 
Dialog Manager; and management of the User Interface, 
including commands for reinitialization, termination, and 
creation and deletion of ports. 

In FIG. 4C, the Dialog Manager supports duplex, simplex 
receive, simplex send, and multicast dialogs. The Dialog 
Manager communicates with the Session Manager, the 
Association Manager, and the SSM. During the establish- 
ment of a communications path, both discretionary and 
mandatory access control mechanisms are used to assure 
that there is no security compromise. The Dialog Manager 
includes the following functions: dialog setup and termina- 
tion; accepting a request to initiate or terminate a dialog 
from a remote SNIU; validating a dialog request using user 
access lists and process classifications; audits; alarms; 
assigning local dialog numbers and obtaining network dia- 
log numbers from a remote SNIU; identification of pro- 
cesses involved in a dialog; passing data over an existing 
association between the Session Manager and the Associa- 
tion Manager; applying and validating block headers for 
transmitted data; issuing commands to the Association Man- 
ager; requesting the SSM to validate user data; mapping 
dialog numbers to assigned port numbers; and acknowledg- 
ing the receipt of block data transmissions. 
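The dialog request validation just described, worked through as an added Python example (not code from the patent): it combines the user access list and user discretionary access denial (DAC), the dialog lattice-based mandatory control on classification level, compartments and integrity level, dialog data-type access control, and the host accreditation range check from the Security System Policies section. The label structure, the integrity ordering (a higher value is more trusted), and the sample users, hosts and compartment names are assumptions.

```python
"""Dialog request validation for a Trusted Session Protocol SNIU (illustrative)."""
from dataclasses import dataclass

# Ordered classification levels (the Type A labels named in the description).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """Classification level, compartment set and integrity level of a subject or dialog."""
    level: str
    compartments: frozenset = frozenset()
    integrity: int = 0  # assumed ordering: a higher value is more trusted

    def dominates(self, other: "Label") -> bool:
        """Lattice dominance: at least other's level, compartments and integrity."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments
                and self.integrity >= other.integrity)


@dataclass(frozen=True)
class Host:
    """A host with the accreditation range (low, high) assigned by the SM."""
    name: str
    accred_low: Label
    accred_high: Label

    def within_range(self, label: Label) -> bool:
        return self.accred_high.dominates(label) and label.dominates(self.accred_low)


@dataclass(frozen=True)
class Process:
    """A user process as seen by the Dialog Manager."""
    user: str
    host: str
    clearance: Label
    data_types: frozenset      # data types this process is authorised to handle
    access_list: frozenset     # users allowed to open a dialog with this process
    denied_users: frozenset = frozenset()  # user discretionary access denial


def validate_dialog(src: Process, dst: Process, hosts: dict, label: Label, data_type: str):
    """Return (allowed, reasons); every failed policy is listed so it can be audited."""
    reasons = []
    # Discretionary access control: the target's access list and any explicit denial.
    if src.user not in dst.access_list:
        reasons.append(f"DAC: {src.user} is not on the access list of {dst.user}")
    if src.user in dst.denied_users:
        reasons.append(f"DAC: {dst.user} has refused communication from {src.user}")
    for p in (src, dst):
        # Mandatory access control: each endpoint's clearance must dominate the dialog label.
        if not p.clearance.dominates(label):
            reasons.append(f"MAC: clearance of {p.user} does not dominate the dialog label")
        # Dialog data-type access control.
        if data_type not in p.data_types:
            reasons.append(f"data type: {p.user} is not authorised for {data_type}")
        # Host accreditation range: the label must lie within the range of each host.
        if not hosts[p.host].within_range(label):
            reasons.append(f"accreditation: label outside the range of host {p.host}")
    return (not reasons, reasons)


# Constructed sample configuration (not from the patent).
HOSTS = {
    "hostA": Host("hostA", Label("Unclassified"),
                  Label("Top Secret", frozenset({"CRYPTO"}), 2)),
    "hostB": Host("hostB", Label("Confidential"), Label("Secret", frozenset(), 2)),
}
ALICE = Process("alice", "hostA", Label("Top Secret", frozenset({"CRYPTO"}), 2),
                frozenset({"data", "voice"}), frozenset({"bob", "carol"}))
BOB = Process("bob", "hostB", Label("Secret", frozenset(), 1),
              frozenset({"data"}), frozenset({"alice"}))
CAROL = Process("carol", "hostA", Label("Secret", frozenset(), 1),
                frozenset({"data"}), frozenset())  # nobody on carol's access list

if __name__ == "__main__":
    for dst, label, dtype in ((BOB, Label("Secret", frozenset(), 1), "data"),
                              (BOB, Label("Secret", frozenset({"CRYPTO"}), 1), "data"),
                              (BOB, Label("Secret", frozenset(), 1), "voice"),
                              (CAROL, Label("Secret", frozenset(), 1), "data")):
        print(dst.user, dtype, validate_dialog(ALICE, dst, HOSTS, label, dtype))
```

A request that fails more than one policy (here a compartment the remote user lacks and a label outside the remote host's accreditation range) yields every reason, which is what the SSM needs for the audit record rather than a bare refusal.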

In FIG. 4D, the Association Manager supports duplex, 
simplex send, and simplex receive associations with remote 
SNIUs. The Association Manager communicates with the 
Dialog Manager, the Sealer, and the SSM. It has the fol- 
lowing functions: association setup and termination; accept- 
ing a request to initiate or terminate an association from a 
remote SNIU; validating an association request according to 
the security policies of the network; audits; alarms; identi- 
fying remote SNIUs; passing data with other SNIUs over 
network facilities; invoking the Sealer and managing sealer 
keys for encrypting transmitted data; and issuing commands 
to the Network Interface. 

In FIG. 4E, the Sealer communicates with the Association 
Manager and the SSM, and has the following functions: 
storing all keys used in sealing data; performing the sealing 
and unsealing algorithms (e.g., key exponentiation) on a 
data block upon command from the Association Manager; 
and generating new keys for the SNIU upon command from 
the SSM. The Association Manager, in conjunction with the 
Sealer, provides integrity protection and assures that the data 
is delivered to the correct destination. The Sealer uses keys 
to transform the entire data block. Alternatively, one could 
perform a sum check on the data and seal the sum check as 
is known in the art. When the data block is passed through 
the Sealer or a MDC upon reaching its destination, the block 
is unsealed. Any remaining errors are considered security 
events. 
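An added Python example, not the patent's code, of the Sealer variant described above in which a sum check over the block is sealed rather than the whole data block transformed, combined with the Dialog Manager's validation of block headers and detection of message block sequence errors. The block header layout, HMAC-SHA256 as the sealing function, and the constructed association key are assumptions.

```python
"""Sealing a data block's sum check with the association key and unsealing it at the
receiving SNIU, with block-header and block-sequence validation (illustrative)."""
import hashlib
import hmac
import struct

# Assumed block header layout: network dialog number, block sequence number, label code.
HEADER_FMT = "!IIH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = hashlib.sha256().digest_size
LABEL_CODES = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

# Constructed association sealer key; a real SNIU obtains and manages keys via the SSM.
KEY = bytes(range(32))


def build_header(dialog_no: int, seq_no: int, label: str) -> bytes:
    return struct.pack(HEADER_FMT, dialog_no, seq_no, LABEL_CODES[label])


def seal(assoc_key: bytes, header: bytes, data: bytes) -> bytes:
    """Sum check over header and data, sealed with HMAC-SHA256 under the association key."""
    body = header + data
    return body + hmac.new(assoc_key, body, hashlib.sha256).digest()


class ReceivingDialog:
    """Receiver-side state of one dialog: the next expected block and any security events."""

    def __init__(self, assoc_key: bytes, dialog_no: int, host_high: str):
        self.assoc_key = assoc_key
        self.dialog_no = dialog_no
        self.host_high = host_high   # top of the receiving host's accreditation range
        self.expected_seq = 0
        self.events = []             # security events, to be reported to the SSM for audit

    def unseal(self, block: bytes):
        """Return the data of an accepted block, or None after recording a security event."""
        if len(block) < HEADER_LEN + TAG_LEN:
            self.events.append("malformed block")
            return None
        body, tag = block[:-TAG_LEN], block[-TAG_LEN:]
        expected = hmac.new(self.assoc_key, body, hashlib.sha256).digest()
        # Any seal mismatch (modified header, data or tag) is a security event, not a retry.
        if not hmac.compare_digest(expected, tag):
            self.events.append("integrity failure: seal does not verify")
            return None
        dialog_no, seq_no, label_code = struct.unpack(HEADER_FMT, body[:HEADER_LEN])
        if dialog_no != self.dialog_no:
            self.events.append(f"block for dialog {dialog_no} arrived on dialog {self.dialog_no}")
            return None
        # Block sequence check: out-of-order or replayed blocks are dialog sequence errors.
        if seq_no != self.expected_seq:
            self.events.append(f"sequence error: expected block {self.expected_seq}, got {seq_no}")
            return None
        if label_code > LABEL_CODES[self.host_high]:
            self.events.append("label exceeds the host accreditation range")
            return None
        self.expected_seq += 1
        return body[HEADER_LEN:]


def run_scenario():
    """Feed a good block, a tampered copy, a replay and an over-range block; return the results."""
    rx = ReceivingDialog(KEY, dialog_no=7, host_high="Secret")
    good = seal(KEY, build_header(7, 0, "Confidential"), b"report text")
    tampered = bytearray(good)
    tampered[HEADER_LEN - 1] ^= 0x01   # change the label byte; the seal no longer verifies
    over_range = seal(KEY, build_header(7, 1, "Top Secret"), b"x")
    accepted = [rx.unseal(good), rx.unseal(bytes(tampered)), rx.unseal(good),
                rx.unseal(over_range)]
    return accepted, rx.events


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```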

In FIG. 4F, the Network Interface to the network com- 
municates only with the Association Manager, and has the 
following functions: passing data and information between 
the Association Manager and the network; and passing 
commands from the Association Manager to the network. 

Security Management Architecture and SM 
The security management architecture includes the Secu- 
rity Manager (SM) which performs the network security 
functions. As illustrated in FIG. 5A, the SM functions are 
distributed over three platforms: a SNIU security manager 
(SSM); an area security manager (ASM); and a network 
security manager (NSM). The distributed platforms provide 
fault tolerance to the security system. The SM platforms 
communicate with each other using the TSP described 
above. The SM's primary functions include system 
initialization, network recovery, network expansion/ 
contraction, audit/alarms, key management, configuration 
control, access control, system administration, directory 
services, time coordination, and internetwork support. 

For system initialization, initial keys, element 
identifications, and software loadings must be generated and 
distributed to the subordinate elements of the network 
system. SNIUs must be initialized. All initial network topol- 
ogy information must be entered into the system. The 
network is initialized by subordinate elements establishing 
dialogs with their primary controlling agents. Under this 
approach, each of the SNIUs will be powered up, keyed, 
then will seek to establish a dialog with its assigned ASM. 
If unsuccessful, the SNIU may periodically attempt to 
establish a dialog with the primary or an alternate ASM until 
it has succeeded. After successful setup, the operational 
configurational information is downloaded to the respective 
SNIUs. The ASMs are initialized in an analogous manner by 
the NSM. Initialization of the system elements from the 
bottom up eliminates unnecessary network overhead. 
In the event of single ASM failures, the network can 
continue to operate virtually unaffected. Automatic 
procedures are effected for switchover to an alternate ASM 
or re-entry of a failed ASM. The affected SNIU seeks an 
alternate ASM, establishes a new association, and uploads 
the current configuration data. For re-initialization of an 
ASM, the ASM attempts to come on line, negotiates 
pairings with all other ASMs, establishes associations with 
the assigned SNIUs, and commands the SNIUs to switch to 
a new primary agent. Similar procedures are used for new 
assignments in network expansion or contraction. 

The SM also collects and stores the audit information 
generated by the SNIUs in response to the SM's criteria. As 
illustrated in FIG. 5B, audit data are captured locally, at the 
SNIUs, collected at the intermediate ASMs, and analyzed 
centrally at the NSM. The SM also detects when an alarm 
has occurred and determines the most appropriate action to 
take to resolve the problem. When no automated solution is 
possible, the SM presents the problem to the security 
administrator for resolution. 

For key management, the SM is responsible for the 
generation, distribution, accounting, and destruction of key 
certificates, which ensures the system integrity. As 
illustrated in FIG. 5C, the NSM generates initial RSA key 
pairs and certificates. The SNIU sends a public key in 
response to an NSM key request. The NSM returns a new 
certificate if the public key is validated. In addition, the 
NSM dictates when keys are to be generated by the SNIUs. 
The SNIUs contain all the hardware and algorithms 
necessary to generate the key pairs. With the exception of 
the initial key pairs, the secret keys will not be known 
outside of the local SNIU. 

For configuration control, all system elements are 
responsible for maintaining the operational configuration 
information necessary for establishing and continuing secure 
communications. A hierarchy of privileges is maintained, 
including: host privileges, such as host accreditation range, 
SNIU addresses, classification of host, host name, and data 
type authorizations; user/application privileges, such as 
user/application authorization range, host association, data 
type authorization, user application name, and user audit 
switch; and SNIU privileges, such as SNIU ID/type, 
network address, audit event selection list, user list, and 
accreditation range. 

The SM can support full system administration 
capabilities to the network, including health and status 
polling, privilege management, and backup management. As 
in the case of audits described above, the status data are 
captured locally at the SNIUs, collected at the intermediate 
level of the ASMs through polling, then analyzed for 
reassignments at the NSM. 

The SM also provides directory services to the TSP in 
support of association setup, as illustrated in FIG. 5D. A 
directory resides on a primary ASM for a given SNIU. When 
the SNIU requires access to another SNIU, the ASM is 
queried for the information. If it does not exist at that ASM, 
the ASM broadcasts an information request to all other 
ASMs. The NSM maintains a full directory that is 
subordinate to and updated from the ASMs. Each ASM 
maintains a master directory for its subordinate SNIUs, and 
a cache directory for a smaller set of connections requested 
by its subordinate SNIUs. Each SNIU maintains a cache of 
directory entries associated with the most recent 
connections. 

For internetwork support, the SM can provide services 
such as an internetwork directory, internetwork digital 
signature support, and negotiation of security 
policies/semantics. In a bridge SNIU, after a user is located 
on an alien network of similar security semantics, all users 
are provided the address of the bridge SNIU for 
communications. A gateway SNIU is similar to a bridge 
SNIU with the exception of the requirement to determine 
the semantic equivalents. In addition, the gateway SNIU is 
initialized and controlled by two NSMs. When 
communicating to an alien (non-secure) network, the guard 
SNIU treats the alien network as a large host. However, no 
user responsibility is expected on the alien network. The 
guard SNIU provides the security and connectivity only to 
the network, not any remote host. 

Examples of System Implementation 

In order to illustrate the operation of a connection using 
the Trusted Session Protocol of an SNIU (between a user 
host and a network, either of which may be non-secured), 
the following example of a path setup for a communication 
on the network is described in step-by-step fashion. In an 
actual implementation, the user host is a terminal of Digital 
Equipment Corporation. The communication link is an 
RS-232 serial line, at a line speed of 9600 bits/sec. The 
User Interface resides within the SNIU. The network is a 
TCP/IP Ethernet LAN. The Network Interface resides in 
the SNIU and is connected to the network by a 
Racal/Interlan TCP/IP Ethernet card (Model NP627). 

In FIG. 6A, the steps for a path setup by a sender are 
illustrated. At A1, the user requests a session before being 
granted access to the network. The User Interface translates 
the data at A2, and provides the user information to the 
Session Manager at A3. The Session Manager requests user 
information from the Security Manager at A4, and the 
Security Manager returns the information at A5. The Session 
Manager validates the user at A6, then sets up a session at 
A7. If unable to validate the user, an audit message is 
generated and the user is denied access. The Session 
Manager sends an audit message of the session setup to the 
Security Manager at A8. 

The user then sends a dialog request at A9. The Dialog 
Manager identifies the sending process at A10, and requests 
destination information from the Security Manager at A11, 
which the Security Manager provides at A12. The Dialog 
Manager then issues an association setup command to the 
Association Manager at A13. The Association Manager 
sends out a certificate at A14 and an association setup 
message at A15 to the destination on the network. The 
Association Manager then receives a return certificate from 
the remote SNIU of the destination address at A16 and an 
association setup acknowledgement at A17. The Association 
Manager commands the Sealer to unseal the certificate at 
A18 and validates the unsealed certificate at A19. The 
Association Manager commands the Sealer to unseal the 
association setup acknowledgement at A20 and sets up the 
association at A21. The Association Manager then sends an 
audit message to the Security Manager at A22. 

The Dialog Manager selects a dialog number and type and 
sends a request to the remote SNIU at A23, and receives the 
number and type acknowledgement at A24. The Dialog 
Manager accepts the dialog at A25, then sends an audit 
message to the Security Manager at A26. The Session 
Manager commands creation of a port for the dialog at A27, 
then sends an audit message to the Security Manager at A28. 
The User Interface creates a port for the dialog at A29, 
whereupon the transmission of the requested 
communication can take place. 

In FIG. 6B, the steps for the path setup of the receiving 
SNIU are shown. The Association Manager receives the 
certificate of the sending SNIU at B1, commands the Sealer 
to unseal it at B2, and validates it at B3. It also receives the 
association setup message at B4, commands the Sealer to 
unseal it at B5, validates the association at B6, sets up the 
association at B7, sends a return certificate to the sending 
SNIU at B8 and an acknowledgement message at B9, then 
sends an audit message to the Security Manager at B10. The 
Dialog Manager receives the dialog set up request from the 
Association Manager at B11, requests user information from 
the Security Manager at B12, which is provided at B13, 
identifies the local process at B14, validates the dialog 
request at B15, accepts the dialog at B16, sends the dialog 
number and type acknowledgement to the Association Man- 
ager at B17 and an audit message at B18. The Session 
Manager commands a port for the dialog at B19 and sends 
an audit message at B20, whereupon the User Interface 
responds at B21 and begins to translate data for the user at 
B22. 
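The directory service described earlier in connection with FIG. 5D (a SNIU's own cache of recent connections, its primary ASM's master and cache directories, a broadcast to the other ASMs, and a full directory at the NSM built from the ASMs) is modelled below as an added Python example. It is not code from the patent: the class names, the trace labels recording which level answered, the four-entry least-recently-used cache in the SNIU, and the sample identifiers and addresses used in the test are constructed assumptions.

```python
from collections import OrderedDict


class ASM:
    """Area security manager: master directory of its own SNIUs, cache of others."""

    def __init__(self, name):
        self.name, self.master, self.cache, self.peers = name, {}, {}, []

    def resolve(self, sniu_id, trace):
        """Master, then cache, then a broadcast to the other ASMs (cached on success)."""
        if sniu_id in self.master:
            trace.append(f"{self.name}:master")
            return self.master[sniu_id]
        if sniu_id in self.cache:
            trace.append(f"{self.name}:cache")
            return self.cache[sniu_id]
        trace.append(f"{self.name}:broadcast")
        for peer in self.peers:
            if sniu_id in peer.master:
                trace.append(f"{peer.name}:master")
                self.cache[sniu_id] = peer.master[sniu_id]
                return self.cache[sniu_id]
        return None


class NSM:
    """Holds the full directory, rebuilt from the ASMs' master directories."""

    def __init__(self, asms):
        self.asms = asms
        for a in asms:
            a.peers = [p for p in asms if p is not a]

    def full_directory(self):
        full = {}
        for a in self.asms:
            full.update(a.master)
        return full


class SNIU:
    def __init__(self, sniu_id, address, asm, cache_size=4):
        self.sniu_id, self.asm = sniu_id, asm
        self.cache, self.cache_size = OrderedDict(), cache_size  # most recent peers only
        asm.master[sniu_id] = address  # registered in its primary ASM's master directory

    def lookup(self, peer_id):
        """Return (address, trace); trace lists who answered, innermost level first."""
        trace = []
        if peer_id in self.cache:
            self.cache.move_to_end(peer_id)
            trace.append(f"{self.sniu_id}:cache")
            return self.cache[peer_id], trace
        addr = self.asm.resolve(peer_id, trace)
        if addr is not None:
            self.cache[peer_id] = addr
            if len(self.cache) > self.cache_size:
                self.cache.popitem(last=False)  # evict the least recently used entry
        return addr, trace
```

The trace returned by lookup is the useful part for a practitioner: it shows that a second SNIU under the same ASM is served from that ASM's cache after the first broadcast, and that a repeat lookup never leaves the SNIU.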
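The sender and receiver sequences of FIGS. 6A and 6B are run end to end below, as an added Python example that is not code from the patent. The Sealer is stood in for by unpadded textbook RSA signatures over SHA-256 with Fermat-tested primes, a toy adequate for the model but not a production signature scheme; certificates are sealed by an NSM whose public key every SNIU holds; the session-level check applied at B6 (the sender's clearance must fall inside the receiver's accreditation range) and the numeric clearance levels are assumptions made here, and the step numbers in the comments refer to the figures. Both the denial of an unknown user (with its audit record) and the rejection of a certificate the NSM did not seal are exercised.

```python
import hashlib
import random

_rng = random.SystemRandom()

def _prime(bits):
    """Random prime by a Fermat test with a few bases: a toy, adequate for the model."""
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7, 11)):
            return c

def rsa_keygen(bits=256):
    """Toy textbook RSA, no padding: returns ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _prime(bits), _prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(msg): return int.from_bytes(hashlib.sha256(msg).digest(), "big")  # < 2^256 < n

def seal(priv, msg): return pow(_digest(msg), priv[1], priv[0])  # Sealer: sign with (n, d)

def unseal(pub, msg, sig): return pow(sig, pub[1], pub[0]) == _digest(msg)  # verify with (n, e)

def _cert_bytes(c): return f"{c['id']}|{c['pub'][0]}|{c['pub'][1]}|{c['range']}".encode()

class NSM:
    """Seals SNIU certificates; its public key is every SNIU's trust anchor."""
    def __init__(self):
        self.pub, self._priv = rsa_keygen()

    def issue(self, sniu_id, pub, accred_range):
        cert = {"id": sniu_id, "pub": pub, "range": accred_range}
        cert["sig"] = seal(self._priv, _cert_bytes(cert))
        return cert

class SNIU:
    def __init__(self, sniu_id, nsm, accred_range, users):
        self.pub, self._priv = rsa_keygen()  # generated on the unit; private half never leaves
        self.cert = nsm.issue(sniu_id, self.pub, accred_range)
        self.nsm_pub = nsm.pub
        self.users = users  # user -> clearance level 0..3, as supplied by the SM (assumed)
        self.audit, self.associations, self.ports = [], {}, {}

    def _audit(self, event, who, result=None):
        self.audit.append((event, who))
        return result

    def _cert_ok(self, cert): return unseal(self.nsm_pub, _cert_bytes(cert), cert["sig"])

    def request_session(self, user):  # FIG. 6A, A1-A8: validate the user or deny with an audit record
        if user not in self.users:
            return self._audit("session_denied", user)
        return self._audit("session_setup", user, {"user": user, "level": self.users[user]})

    def setup_association(self, session, peer):  # A13-A22
        msg = {"from": self.cert["id"], "level": session["level"], "nonce": _rng.getrandbits(64)}
        reply = peer.accept_association(self.cert, msg, seal(self._priv, repr(msg).encode()))
        ok = reply is not None and self._cert_ok(reply["cert"])  # A16, A18, A19
        ok = ok and reply["ack"]["nonce"] == msg["nonce"] and unseal(  # A17, A20
            reply["cert"]["pub"], repr(reply["ack"]).encode(), reply["ack_seal"])
        if not ok:
            return self._audit("assoc_failed", peer.cert["id"], False)
        self.associations[peer.cert["id"]] = reply["cert"]  # A21
        return self._audit("assoc_setup", peer.cert["id"], True)  # A22

    def open_dialog(self, peer, dialog_type):  # A23-A29
        if peer.cert["id"] not in self.associations:
            return None
        number = len(self.ports) + 1
        if peer.accept_dialog(self.cert["id"], number, dialog_type) != (number, dialog_type):
            return self._audit("dialog_failed", number)
        self.ports[number] = (peer.cert["id"], dialog_type)  # A25, A27, A29
        return self._audit("dialog_setup", number, number)  # A26, A28

    def accept_association(self, cert, msg, sealed):  # FIG. 6B, B1-B10
        if not self._cert_ok(cert) or msg["from"] != cert["id"]:
            return self._audit("bad_certificate", msg["from"])
        if not unseal(cert["pub"], repr(msg).encode(), sealed):
            return self._audit("bad_setup_message", cert["id"])
        lo, hi = self.cert["range"]  # B6, assumed rule: sender's level within our range
        if not lo <= msg["level"] <= hi:
            return self._audit("assoc_rejected", cert["id"])
        self.associations[cert["id"]] = cert  # B7
        ack = {"to": cert["id"], "nonce": msg["nonce"]}
        self._audit("assoc_setup", cert["id"])  # B10
        return {"cert": self.cert, "ack": ack, "ack_seal": seal(self._priv, repr(ack).encode())}  # B8, B9

    def accept_dialog(self, peer_id, number, dialog_type):  # B11-B21
        if peer_id not in self.associations:
            return self._audit("dialog_rejected", peer_id)
        self.ports[(peer_id, number)] = dialog_type
        return self._audit("dialog_setup", number, (number, dialog_type))
```

Two design points carry over to any real implementation of the exchange: the receiver validates the certificate against the NSM key before it spends anything on the sealed setup message, and the acknowledgement echoes the sender's nonce under the receiver's seal, so a replayed acknowledgement from an earlier association does not complete a new one.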

The SNIU may be implemented in the form of a software 
program executed on a general purpose computer coupled as 
a server between a host machine and the network. 
Alternatively, it may be programmed as a network commu- 
nications program resident in and executed from the host 
machine. However, for security purposes, the preferred form 
of the SNIU is a closed module having the security program 
functions resident in ROM and executed by a dedicated 
microprocessor. The closed module can incorporate the 
communications link or modem to the network. 

The SSM may be a software program co-resident with the 
SNIU program at a host site, or may be executed on a 
separate computer unit connected to the SNIU through the 
network. The ASM may be a software program co-resident 
with an SSM at a large host site, or may be executed on a 
separate computer unit for an area connected to the assigned 
SSMs through the network. The NSM is preferably operated 
from a separate, secure computer unit connected to the 
network and operated by the overall security administrator. 
The particular physical locations and forms of implementa- 
tion for the SNIUs and distributed platforms of the SM may 
vary depending upon the network configuration, desired 
security policies, and user audience. 

It is to be understood that the embodiments 
described herein are merely exemplary of the principles of 
the invention, and that a person skilled in the art may make 
many variations and modifications without departing from 
the spirit and scope of the invention. All such variations and 
modifications are intended to be included within the scope of 
the invention as defined in the appended claims. 
We claim: 
1. A multi-level network security apparatus for a com- 
puter network having at least one user coupled thereto, the 
at least one user selected from a group consisting of a host 
computer and a second untrusted network, comprising: 

a secure network interface unit (SNIU) having a first port 
for coupling to said at least one user and a second port 
for directly connecting to the computer network which 
operates at a user layer communications protocol, said 
SNIU providing security control by controlling access 
to the computer network at at least one of the layers above 
the transport layer of the communications protocol, 
wherein the SNIU is implemented to create a global 
security perimeter for end-to-end communications and 
wherein the computer network may be individually 
secure or non-secure without compromising security of 
communications within said global security perimeter; 
and 
a security management architecture, including a security 
manager (SM) coupled to said SNIU for causing said 
SNIU to be initialized, operated and configured for 
protecting the security communications transmitted 
through said SNIU, said SM capable of implementing 
at least one of a plurality of security policies. 

2. The network security apparatus according to claim 1, 
wherein said plurality of security policies is selected from 
the group consisting of discretionary access control, man- 
datory access control, object reuse, labeling, denial of ser- 
vice detection, data type integrity, cascading control and 
covert channel use detection. 

3. The network security apparatus according to claim 1, 
said SNIU further comprising an association manager oper- 
able to establish and control a user session at a session layer 
of interconnection between the at least one user and the 
network. 

4. The network security apparatus according to claim 3, 
said SNIU further comprising a dialog manager in commu- 
nication with said association manager and said security 
manager for setting up, controlling, and terminating a data 
path established in said SNIU. 

5. The network security apparatus according to claim 1, 
said SNIU further comprising a session manager for iden- 
tifying a user requesting access to the network. 

6. The network security apparatus according to claim 1, 
said SNIU further comprising an association manager which 
operates to establish and control a user session at a session 
layer of interconnection between the at least one user and the 
network if the at least one user is verified for access. 

7. The network security apparatus according to claim 1, 
wherein said SNIU further comprises means for performing 
a defined trusted session layer protocol (TSP), said TSP 
constituting said user layer communications protocol. 

8. The network security apparatus according to claim 1, 
wherein said SNIU is operable to prevent covert information 
flow within said global security perimeter for end-to-end 
communications. 

9. The network security apparatus according to claim 1, 
wherein said SNIU includes a data sealer for validating data 
transmitted through said SNIU. 

10. The network security apparatus according to claim 1, 
wherein functions of said SM comprise exchanging data and 
commands with said SNIU, performing initialization, con- 
figuration control, access control, sealer key management, 
and audit alarms. 

11. A method of providing multi-level network security 
for a computer network having at least one user coupled 
thereto, the at least one user selected from a group consisting 
of a host computer and at least a second network, said 
method comprising steps of: 

coupling a secure network interface unit (SNIU) to said at 
least one user and directly to the computer network 
which operates at a user layer communications 
protocol, said SNIU providing security control by 
controlling access to the computer network at at least 
one of the layers above the transport layer of the 
communications protocol, 

whereby the SNIU is implemented to create a global 
security perimeter for end-to-end communications and 
wherein the computer network may be individually 
secure or non-secure without compromising security of 
communications within said global security perimeter; 
and, 

performing security management utilizing a security man- 
ager (SM) connected to said SNIU for causing said 
SNIU to be operated and configured for protecting the 
security communications transmitted through said 
SNIU between the at least one user and the computer 
network, said SM capable of implementing at least one 
of a plurality of security policies. 

12. The method of providing network security according 
to claim 11, wherein said plurality of security policies is 
selected from the group consisting of discretionary access 
control, mandatory access control, object reuse, labeling, 
denial of service detection, data type integrity, cascading 
control and covert channel use detection. 

13. The method of providing network security according 
to claim 11, wherein said step of performing security man- 
agement further comprises the step of establishing a defined 
trusted session layer protocol (TSP) through said SNIU, said 
TSP constituting said user layer communications protocol. 

14. The method of providing network security according 
to claim 11, further comprising the step of controlling a data 
path established in said SNIU. 

15. The method of providing network security according 
to claim 11, further comprising the step of identifying a user 
requesting access to the computer network. 

16. The method of providing network security according 
to claim 11, further comprising the step of controlling a user 
session at a session layer of interconnection between the at 
least one user and the computer network if the at least one 
user is verified for access. 

17. The method of providing network security according 
to claim 11, wherein functions of said SM comprise a SNIU 
security manager (SSM), an area security manager (ASM), 
and a network security manager (NSM). 

18. The method of providing network security according 
to claim 11, further comprising the step of preventing covert 
information flow within said global security perimeter for 
end-to-end communications. 

19. The method of providing network security according 
to claim 11, wherein said SNIU includes a data sealer for 
validating data transmitted through said SNIU. 

20. The method of providing network security according 
to claim 11, wherein functions of said SM comprise 
exchanging data and commands with said SNIU, performing 
initialization, configuration control, access control, sealer 
key management, and audit alarms. 

21. A method of providing multi-level network security 
for a computer network having at least one user coupled 
thereto, the at least one user selected from a group consisting 
of a host computer and at least a second network, said 
method comprising steps of: 

coupling a secure network interface unit (SNIU) to at least 
one user and directly to the computer network, and 
establishing a session layer interconnection between 
the at least one user and the computer network, 

whereby the SNIU is implemented to create a global 
security perimeter for end-to-end communications and 
wherein the computer network may be individually 
secure or non-secure without compromising security of 
communications within said global security perimeter; 
and, 

performing security management utilizing a security man- 
ager (SM) for causing said SNIU to be operated and 
configured for controlling access to the computer net- 
work at or above the session layer by verifying at or 
above the session layer if an identified user is autho- 
rized for access to the computer network. 

22. The method of providing network security according 
to claim 21, wherein said plurality of security policies is 
selected from the group consisting of discretionary access 
control, mandatory access control, object reuse, labeling, 
denial of service detection, data type integrity, cascading 
control and covert channel use detection. 

23. The method of providing network security according 
to claim 21, wherein said step of performing security man- 
agement further comprises the step of establishing a defined 
trusted session layer protocol (TSP) through said SNIU, said 
TSP constituting said user layer communications protocol. 

24. The method of providing network security according 
to claim 21, further comprising the step of controlling a data 
path established in said SNIU. 

25. The method of providing network security according 
to claim 21, further comprising the step of identifying a user 
requesting access to the computer network. 

26. The method of providing network security according 
to claim 21, further comprising the step of controlling a user 
session at a session layer of interconnection between the at 
least one user and the computer network if the at least one 
user is verified for access. 

27. The method of providing network security according 
to claim 21, wherein functions of said SM comprise a SNIU 
security manager (SSM), an area security manager (ASM), 
and a network security manager (NSM). 

28. The method of providing network security according 
to claim 21, further comprising the step of preventing covert 
information flow within said global security perimeter for 
end-to-end communications. 

29. The method of providing network security according 
to claim 21, wherein said SNIU includes a data sealer for 
validating data transmitted through said SNIU. 

30. The method of providing network security according 
to claim 21, wherein functions of said SM comprise 
initialization, configuration control, access control, sealer 
key management, and audit alarms. 

31. A network security apparatus for providing secure 
communication of information communicated via an 
untrusted network, said apparatus comprising: 

at least one secure network interface unit (SNIU) coupled 
between a host computer and said untrusted network, 
said SNIU performing user authentication and bidirec- 
tional multi-level access control for information com- 
municated via the untrusted network, said SNIU sup- 
porting accountability, data integrity, data 
confidentiality and network resource access policies on 
a per user basis, whereby said host computer and said 
untrusted network may be individually secure or non- 
secure without compromising security of communica- 
tion of information communicated via the untrusted 
network. 

32. The network security apparatus according to claim 31, 
wherein said network resource access policies include discre- 
tionary access control and mandatory access control. 

33. The network security apparatus according to claim 31, 
wherein said accountability policy includes auditing. 

34. The network security apparatus according to claim 31, 
wherein said accountability, data integrity, data confidentiality and 
network resource access policies include labeling, cascading 
control, and covert channel use detection. 

35. The network security apparatus according to claim 31, 
further comprising a security manager for causing said 
SNIU to be initialized, operated, and configured for protect- 
ing the security communications transmitted through said 
SNIU. 

36. The network security apparatus according to claim 35, 
said SNIU further comprising an association manager oper- 
able to establish and control a user session layer of inter- 
connection between the computer host and the untrusted 
network. 
37. The network security apparatus according to claim 36, 
said SNIU further comprising a dialog manager in commu- 
nication with said association manager and said security 
manager for setting up, controlling, and terminating a data 
path established in said SNIU. 

38. The network security apparatus according to claim 31, 
said SNIU further comprising a session manager for iden- 
tifying a user requesting access to the untrusted network. 

39. The network security apparatus according to claim 35, 
said SNIU further comprising an association manager which 
operates to establish and control a user session at a session 
layer of interconnection between the computer host and the 
untrusted network if the user is verified. 

40. The network security apparatus according to claim 31, 
wherein said SNIU further comprises means for performing 
a defined trusted session layer protocol (TSP), said TSP 
constituting a user layer communications protocol. 

41. A network security system for providing secure com- 
munication of information communicated via an untrusted 
network, said system comprising: 

a plurality of secure network interface units (SNIUs) each 
coupled between a respective host computer and said 
untrusted network, each said SNIU performing user 
authentication and bidirectional multi- level access con- 
trol for information communicated via the untrusted 
network, said SNIU supporting accountability, data 
integrity, data confidentiality and network resource 
access policies on a per user basis, whereby said host 
computer and said untrusted network may be individu- 
ally secure or non-secure without compromising secu- 
rity of information communicated via the untrusted 
network; and 

a security management architecture including a security 
manager (SM) coupled to each said SNIU having 
means for causing each SNIU to be initialized, operated 
and configured for protecting the security communica- 
tions transmitted through each said SNIU, said SM 
capable of implementing at least one of a plurality of 
security policies. 

42. The network security system according to claim 41, 
wherein at least one of said plurality of SNIUs is operative 
to act as a gateway between networks. 

43. A multi-level network security apparatus for commu- 
nicating over an untrusted network between a computer user 
and at least a second network, comprising: 

a secure network interface unit (SNIU) coupled at a first 
port to said computer user and at a second port to said 
untrusted network, said SNIU providing security con- 
trol by controlling access and communications to the 
untrusted network, said SNIU operable to initialize and 
maintain a communication path across the untrusted 
network and said at least one second network with a 
remote SNIU for passing data therebetween; 

said remote SNIU coupled directly between said untrusted 
network and said second network and operable as a 
gateway to communicate with said SNIU over said 
communication path to transceive data at said second 
network when said second network uses different secu- 
rity labeling than said untrusted network; 

wherein each SNIU is implemented to create a global 
security perimeter for end-to-end communications; and 

a security management architecture including a security 
manager (SM) coupled to each said SNIU having 
means for causing each SNIU to be initialized, operated 
and configured for protecting the security communica- 
tions transmitted through each said SNIU, said SM 
capable of implementing at least one of a plurality of 
security policies. 

44. The apparatus of claim 4, wherein said means for 
performing said SM functions are distributed over three 
platforms, i.e., a SNIU security manager (SSM), an area 
security manager (ASM) and a network security manager 
(NSM), wherein an NSM associated with said untrusted 
network and said SNIU and a second NSM associated with 
said second network and said remote SNIU both operate to 
control and initialize said remote SNIU. 

45. A multi-level network security apparatus for commu- 
nicating over an untrusted network between a computer user 
and at least a second network, comprising: 

a secure network interface unit (SNIU) coupled at a first 
port to said computer user and at a second port to said 
untrusted network, said SNIU providing security con- 
trol by controlling access and communications to the 
untrusted network, said SNIU operable to initialize and 
maintain a communication path across the untrusted 
network and said at least one second network with a 
remote SNIU for passing data therebetween via duplex, 
simplex, or multicast communications means; 
said remote SNIU coupled directly between said untrusted 
network and said second network and operable as a 
router to communicate with said SNIU over said com- 
munication path to transceive data at said second 
network when said second network uses the same 
security labeling as said untrusted network and operates 
at different protection levels; 
wherein each SNIU is implemented to create a global 
security perimeter for end-to-end communications; and 
a security management architecture including a security 
manager (SM) coupled to each said SNIU having 
means for causing each SNIU to be initialized, operated 
and configured for protecting the security communica- 
tions transmitted through each said SNIU, said SM 
capable of implementing at least one of a plurality of 
security policies. 

46. A method for providing multi-level network security 
for an untrusted computer network having at least one host 
computer associated with a user coupled thereto, said 
method comprising the steps of: 

coupling a secure network interface unit (SNIU) between 
said at least one host computer and said untrusted 
network, 

establishing a session layer interconnection between said 
at least one host computer and the untrusted network, 
performing user authentication and bi-directional multi- 
level access control for information communicated via 
said untrusted network utilizing said SNIU; and 
performing security management by providing 
accountability, data integrity, data confidentiality, and 
network resource access policies on a per user basis, 
whereby said host computer and said untrusted network 
may be individually secure or non-secure without com- 
promising security of communication of information 
communicated via the untrusted network. 

47. The method of providing network security according 
to claim 46, wherein said step of performing security man- 
agement further comprises the step of establishing a defined 
trusted session layer protocol (TSP) through said SNIU, said 
TSP constituting user layer communications protocol. 

48. The method of providing network security according 
to claim 46, further comprising the step of controlling a data 
path established in said SNIU. 

49. The method of providing network security according 
to claim 46, further comprising the step of identifying a user 
associated with a host computer requesting access to the 
network. 
50. The method of providing network security according 
to claim 49, further comprising the step of controlling a user 
session at a session layer of interconnection between the at 
least one host computer and the untrusted network if the 
associated user is verified for access. 

51. The method of providing network security according 
to claim 46, wherein the step of performing security man- 
agement further comprises preventing covert information 
flow within a global security perimeter associated with the 
SNIU for end-to-end communications. 

52. The method of providing network security according 
to claim 46, wherein functions of said security management 
comprise exchanging data and commands with said SNIU, 
performing initialization, configuration control, access 
control, sealer key management, and audit alarms. 

53. A network security apparatus for providing secure 
communication of information communicated via an 
untrusted network, said apparatus comprising: 

bidirectional means for performing user authentication 
and bidirectional multi-level access control for infor- 
mation communicated via the untrusted network; 
security means for causing said bi-directional means to be 
initialized, operated, and configured for protecting the 
security communications transmitted to said 
bi-directional means, said security means capable of 
implementing at least one of a plurality of security poli- 
cies on a per user basis, wherein said bidirectional 
means is coupled between a host computer and said 
untrusted network, whereby said host computer and 
said untrusted network may be individually secure or 
non-secure without compromising security of commu- 
nication of information communicated by said 
untrusted network. 
54. A network security apparatus according to claim 53, 
wherein said plurality of security policies is selected from a 
group consisting of discretionary access control, mandatory 
access control, labeling, denial of service detection, data 
typing integrity, cascading control, and covert channel use 
detection. 